Attackers can exploit vulnerable programs that are running with elevated permissions to insert kernel rootkits into a system. Security mechanisms have been created to prevent kernel rootkit implantation by relocating the vulnerable physical system to a guest virtual machine and enforcing a W ⊕ KX memory access control policy from the host virtual machine monitor. Such systems must also be able to identify and authorize the introduction of known-good kernel code. Previous works use cryptographic hashes to verify the integrity of kernel code at load-time. The hash creation and verification procedure depends on immutable kernel code. However, some modern kernels contain self-patching kernel code; they may overwrite executable instructions in memory after load-time. Such dynamic patching may occur for a variety of reason including: CPU optimizations, multiprocessor compatibility adjustments, and advanced debugging. The previous hash verification procedure cannot handle such modifications. We describe the design and implementation of a procedure that verifies the integrity of each modified instruction as it is introduced into the guest kernel. Our experiments with a self-patching Linux guest kernel show that our system can correctly detect and verify all valid instruction modifications and reject all invalid ones. In most cases our patch-level verification procedure incurs only nominal performance impact.
[1]
Zhenkai Liang,et al.
Transparent Protection of Commodity OS Kernels Using Hardware Virtualization
,
2010,
SecureComm.
[2]
Brian D. Noble,et al.
When virtual is better than real [operating system relocation to virtual machines]
,
2001,
Proceedings Eighth Workshop on Hot Topics in Operating Systems.
[3]
Adrian Perrig,et al.
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
,
2007,
SOSP.
[4]
Xuxian Jiang,et al.
Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing
,
2008,
RAID.